This Privacy Policy explains how Quote & Cut (“we”, “us”, “our”) collects, uses, shares and protects personal data when you use https://www.quoteandcut.com (the “Website”), purchase our products/services, install or use our WordPress plugin, use our API/licensing/nesting services, or interact with us. We are based in the United Kingdom and aim to comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (“PECR”) where they apply.
Data controller: Quote & Cut
Registered address: Bulleigh Barton Farm, Ipplepen,
Newton Abbot, TQ12 5UA
Contact email: info@quoteandcut.com
1. Our role: controller and processor
For Website visitors, account holders, subscribers, purchasers and support contacts, Quote & Cut is usually the data controller because we decide why and how that personal data is used for account management, billing, licensing, support, security and service communications.
If you are a store owner using the Quote & Cut WordPress/WooCommerce plugin, you are usually the data controller for personal data and files submitted by your own customers through your website. For job data we process through the hosted Quote & Cut API on your instructions, we usually act as your processor. We may still act as controller for our own licensing, billing, security, abuse-prevention, audit, quota and support records.
2. What personal data we collect
We may collect the following categories of personal data:
- Identity & contact data: name, business name, email address, telephone number, billing address, shipping address if used, account contact details and support contact details.
- Account data: username, password in hashed/encrypted form, account preferences, role/permissions, account status, login/session data and security settings.
- Order, subscription & billing data: products/services purchased, order history, subscription status, renewal dates, cancellations, plan changes, invoices, taxes, customer notes, subscription IDs and related WooCommerce records.
- Payment-related data: payment status, transaction references, payment method type, payment-provider tokens/references and failed-payment/chargeback status. We do not receive or store your full card number on our servers.
- Licensing & API data: API Key identifiers, hashed API keys, key IDs, plan tier, quota limits, quota usage, quota cycle dates, grace status, activation token status, bound domain, site UUID, site URL/domain, webhook/signing-secret status, API request metadata and licence events.
- Plugin/site data: WordPress site URL/domain, generated site UUID, plugin version, plan feature checks, setup wizard data, material-market/feed requests, saved API key use, and technical information sent by the plugin when it connects to our services.
- Job, quote & manufacturing workflow data: cleaned geometry/job data derived from DXF files, selected materials, sheet size/cost/gap data, quantities, dimensions, cut metrics, areas, perimeters, pierce counts, nesting configuration, quote context, job IDs, layout export requests, secondary process selections such as folding or powder coating, and related order/job metadata.
- Files and generated outputs: in the standard plugin workflow, original DXF files are generally stored on the subscriber’s own WordPress site rather than sent to our hosted API as raw files. We may process generated/derived job data and layout/export data through the API. We may receive original files, screenshots, logs or drawings if you send them to us for support or troubleshooting.
- Communications: messages you send us through forms, email or support channels, our replies, feedback, issue reports and records of service notices sent to you.
- Technical, security & usage data: IP address, user-agent, browser/device data, approximate location from IP, referral source, pages viewed, actions taken, request path, timestamps, rate-limit counters, security logs, audit logs, blocklist records and error logs.
- Marketing data: marketing preferences, email engagement data and consent/opt-out records where applicable.
- Cookies & similar technologies: identifiers and preferences stored on your device, as explained in the Cookies section below.
3. Data stored by the plugin on subscriber websites
If you use the Quote & Cut plugin on your own WordPress/WooCommerce site, the plugin may store data on your own website/server, including uploaded original DXF files, generated preview images, customer-provided folding drawings, returned layout files, related job data, quote-context hashes/signatures, file paths, cart/session data, WooCommerce order item metadata, plugin settings and diagnostic/pricing breakdowns if enabled.
Abandoned quote folders that are not attached to an order are eligible for automatic cleanup after a grace period, currently 48 hours by default. Files attached to WooCommerce orders are retained by the store owner for fulfilment unless manually removed or handled under the store owner’s own retention policy. Store owners should explain this in their own privacy notice before enabling file uploads and cloud processing.
4. Where we get personal data from
We may collect personal data from:
- You directly when you create an account, place an order, start or manage a subscription, generate activation tokens, contact support, fill out forms or send us files/logs.
- Your installed plugin or website when it activates a licence, refreshes plan status, sends quote/nesting requests, requests layout exports, uses market-index/exchange-rate feeds, or receives licence webhooks.
- Your own customers or users indirectly where their file names, job data, order details or quote data are processed through the plugin/API workflow on your instructions.
- Automatically when you browse the Website or use the Hosted Service, including through server logs, cookies, security tools and analytics where enabled.
- Service providers such as payment providers, hosting providers, email providers, fraud/security tools, analytics providers and support tools.
5. How we use personal data and our lawful bases
Under UK GDPR, we must have a lawful basis for processing personal data. We typically rely on the following:
- To provide the Website, Account, Plugin and Hosted Service including account creation, API key creation, activation tokens, site binding, licence checks, plan-tier checks, quota management, nesting/quote processing, layout exports, support and service administration.
Lawful basis: performance of a contract; legitimate interests.
- To process orders, subscriptions and payments including renewals, failed payments, cancellations, invoices, subscription status changes and payment-provider communications.
Lawful basis: performance of a contract; legal obligation; legitimate interests.
- To run licensing, quota, rate-limit and abuse-prevention controls including API key validation, bound-site checks, domain/site UUID checks, quota counters, grace periods, blocklists, security alerts and audit events.
Lawful basis: performance of a contract; legitimate interests in protecting the Service and preventing misuse.
- To process job and quote data including cleaned geometry, material and nesting data submitted by the plugin so the Hosted Service can produce quote/nesting results and layout exports.
Lawful basis: performance of a contract with the subscriber; where we act as processor, the subscriber’s documented instructions and lawful basis apply.
- To maintain, secure and troubleshoot the Service including logging, debugging, backups, monitoring, fraud prevention, investigating suspicious activity and resolving technical issues.
Lawful basis: legitimate interests; legal obligation where applicable.
- To communicate with you including order confirmations, renewal reminders, quota warnings, quota exhausted/grace-ended notices, plan-change notices, security notices, support replies and important service updates.
Lawful basis: performance of a contract; legitimate interests; legal obligation where applicable.
- To improve the Website and Service including performance monitoring, analytics, product improvements, testing, debugging and feature planning.
Lawful basis: legitimate interests; consent where required for cookies or similar technologies.
- To send marketing messages such as newsletters, offers or product updates where permitted.
Lawful basis: consent; and/or legitimate interests where the “soft opt-in” applies, subject to your right to opt out.
- To comply with legal, tax, accounting, regulatory and dispute-resolution obligations including record keeping, responding to valid legal requests and enforcing our Terms.
Lawful basis: legal obligation; legitimate interests; establishment, exercise or defence of legal claims where applicable.
6. Plugin/API workflow and customer files
The Quote & Cut plugin requires an active Quote & Cut account and API key. Core nesting, quote calculation and layout generation are provided by the hosted Quote & Cut service at api.quoteandcut.com and are not performed entirely inside WordPress.
Depending on your workflow and settings, the plugin may send cleaned geometry/job data derived from uploaded DXF files, selected materials, quantities, dimensions, cut metrics, job configuration, site identifiers and related order/job metadata to Quote & Cut for processing. The plugin also sends the configured API key, a site UUID and the site domain in request headers for licensing, validation, usage tracking and abuse prevention.
In the standard workflow, original DXF files are stored on the subscriber’s WordPress site for quote and order reference rather than being sent as raw files to the hosted nesting service. If you send original DXF files or other files to us for support, we will process them to provide support and troubleshoot the Service.
7. Subscriptions and recurring payments
If you purchase a subscription, we process data needed to create and manage that subscription, including renewals, cancellations, plan changes, failed payments, payment status, invoices, taxes and access to the Hosted Service. Depending on your payment method, the payment provider shown during checkout may store a token or reference to your payment method to enable recurring billing. We do not store full card details on our servers.
8. Marketing preferences
You can opt out of marketing at any time by using the “unsubscribe” link in our emails, adjusting your account preferences where available, or contacting us at info@quoteandcut.com.
We may still send non-marketing service messages where necessary, such as payment confirmations, invoices, security notices, quota warnings, API key notices, changes to our terms, or important Service updates.
9. Cookies and similar technologies
We use cookies and similar technologies to make the Website work, remember preferences, support account login, support checkout/cart/subscription functionality, protect the Website, understand usage and, where enabled, measure campaigns.
- Strictly necessary cookies: required for core site functions such as login, account security, cart, checkout, subscription management and fraud/security controls.
- Functional cookies: remember preferences and settings.
- Analytics cookies: help us understand how the Website is used and improve it, where enabled and permitted.
- Marketing cookies: help measure campaigns or show relevant offers, where enabled and permitted.
Where required, we will ask for consent before setting non-essential cookies. You can also control cookies through your browser settings. Disabling strictly necessary cookies may prevent parts of the Website, account area, cart or checkout from working properly.
10. Who we share personal data with
We may share personal data with trusted third parties where needed to operate our business and deliver the Service, such as:
- Payment providers: the payment provider(s) shown during checkout and subscription management.
- Website, hosting and infrastructure providers: hosting, server, database, queue, CDN, DNS, backup, monitoring and security providers.
- WordPress/WooCommerce-related services: services required to operate the Website, account area, subscriptions, emails and checkout.
- Email and notification providers: providers used for transactional emails, quota notices, account notices and support communications.
- Customer support tools: helpdesk, ticketing or communication tools where used.
- Analytics and cookie tools: only where enabled and permitted by your cookie choices or applicable law.
- Fraud prevention, abuse-prevention and security services: to protect the Website, Hosted Service, customers and systems.
- Professional advisers: accountants, insurers, lawyers and other advisers where necessary.
- Regulators, law enforcement, courts and authorities: where required by law or where we reasonably need to protect our rights, users or the Service.
- Business transfer parties: if we sell, reorganise or transfer all or part of our business, subject to appropriate safeguards.
We only share personal data where we have a reason to do so and require service providers to protect it and use it only for the purposes agreed with us.
11. International data transfers
Some service providers may process personal data outside the UK. Where personal data is transferred internationally, we will take steps to ensure appropriate safeguards are in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
12. How long we keep personal data
We keep personal data only for as long as necessary for the purposes described in this Policy, including to provide the Service, meet legal/accounting obligations, resolve disputes, maintain security, enforce our Terms and protect our rights. Typical retention periods include:
- Orders, invoices, tax and accounting records: usually up to 6 years.
- Account and subscription records: for as long as your account or subscription remains active and for a reasonable period afterwards for records, disputes, fraud prevention, security and compliance.
- API keys, licensing and quota records: for as long as needed to provide and secure the Service, manage subscriptions, enforce quotas and maintain audit records.
- Activation tokens: short-lived and deleted or invalidated after use or expiry.
- Hosted nesting/API jobs: active, completed and failed jobs are retained temporarily while queued, processed, acknowledged, expired or retained briefly for troubleshooting before automatic removal. Completed jobs are normally removed after acknowledgement or shortly after completion; failed jobs may be retained for a short period for troubleshooting.
- Plugin files stored on subscriber websites: controlled by the subscriber/store owner. Abandoned quote folders are eligible for automatic cleanup after a grace period, currently 48 hours by default; order files are retained by the store owner for fulfilment unless manually removed or covered by the store owner’s policy.
- Support communications: for as long as needed to resolve issues and maintain service records.
- Security, rate-limit and audit logs: for as long as needed for security, abuse prevention, troubleshooting, legal compliance and service integrity.
- Marketing data: until you unsubscribe, withdraw consent or we otherwise stop using it.
13. Security
We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These may include access controls, hashed keys/passwords where appropriate, token/signature checks, rate limits, logging, monitoring, backups and secure service-provider arrangements. However, no internet transmission, website, API, hosting environment or storage system is completely secure. You must also protect your own account credentials, API Keys, Activation Tokens, WordPress admin accounts, hosting, backups and customer files.
14. Automated technical checks
We use automated technical checks to operate and protect the Service. These may include licence validation, API key status checks, site/domain binding, quota counting, rate limiting, job safety/complexity checks, payment/subscription status checks, security blocks and abuse-prevention rules. These checks may affect whether a request is accepted, queued, rejected, throttled, blocked or allowed to continue. We do not generally use automated decision-making or profiling that produces legal or similarly significant effects about individuals.
15. Your data protection rights (UK GDPR)
Subject to certain conditions, you have rights including:
- Right of access – request a copy of your personal data.
- Right to rectification – correct inaccurate or incomplete data.
- Right to erasure – request deletion of your data where applicable.
- Right to restrict processing – ask us to limit processing in certain circumstances.
- Right to data portability – receive certain data in a portable format.
- Right to object – object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent – where we rely on consent, you can withdraw it at any time.
To exercise your rights, contact us at info@quoteandcut.com. We may need to verify your identity before responding.
If your request relates to personal data held by a store owner using the Quote & Cut plugin on their own website, you should contact that store owner first. We may need to refer the request to them where they are the controller of that data.
16. Complaints
If you have concerns about how we handle your data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/
17. Children
Our Website and services are not intended for children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us.
18. Third-party links and customer websites
The Website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties.
Websites operated by Quote & Cut subscribers are controlled by those subscribers, not by us. If you upload files or request a quote on a subscriber’s website, you should review that website’s own privacy notice and terms.
19. Changes to this Privacy Policy
We may update this Policy from time to time. The “Last updated” date below shows when it was most recently revised. If changes are significant, we may provide additional notice, for example by email, Account notice or Website notice.
20. Contact us
If you have questions about this Privacy Policy or our data practices, contact:
Quote & Cut
Email: info@quoteandcut.com
Address: Bulleigh Barton Farm, Ipplepen,
Newton Abbot, TQ12 5UA
Last updated: 28 May 2026